Did you know that it’s considered common for a hacker to have access to a system months before an exploit? This extra time allows the criminal to infiltrate your systems, explore your network and learn your habits, and understand what is important to you and the company.
Some things never change. As the list of cyber concerns continues to grow and cybercriminals invent more elaborate schemes – crypto-mining, ransomware, third-party and supply chain attacks, phishing and malware exploits, DDoS attacks – this is a reminder that it is especially important for all businesses to practice basic cyber hygiene and follow/update industry best practices.
With so many types and ranges of security threats, it can feel overwhelming to get started. To break it down, here is a simple, 4-step cycle that every organization can follow for basic cyber hygiene.
4 Steps for Maintaining Good Cyber Hygiene
A company should identify and quantify the level of risk associated with its information technology and IT assets by completing and maintaining a written IT Risks and Controls Assessment.
- Considerations may include: web-based interfaces, third-party risk, physical security, and cyber concerns.
- A data flow diagram should also be in place so there is a clear understanding of how all assets are connected to the network and each other, segregated, and protected.
Employees and owners cannot be expected to understand all relevant and critical expectations if they are not laid out in a clear, concise, written and professional manner. Upon completion of the IT Risks and Controls Assessment, the organization will have identified its high-risk areas and can address them in a systematic and organized way. Creating policies and procedures to govern the IT assets will help to mitigate risks, and will provide a roadmap and set expectations for the enterprise assets.
Next, implement the plan to mitigate and protect against those risks.
- Adopt technical controls, including content filtering, anti-spam, anti-malware, endpoint protection, reputation services, quarantine/sandboxing services, and email filters, which will help to stop hackers from getting into your organization.
- Educate and test employees so they can spot and respond to phishing and other forms of social engineering that can squeak by even your best defenses.
- Employ an IT person or consultant to ensure all critical patches are tested and applied in a timely manner. Patches may need to be applied to operating systems, browsers, browser add-ons, web server software, database software, and remote management software.
- Ensure written password guidelines are current and enforced. This could include password length, complexity, and allowable attempts. It is also a best practice to configure account lockout so that an account is locked after a set number of failed logon attempts. (These specifications should be included in your comprehensive set of policies mentioned above.)
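To show what the password and lockout guidelines above look like once enforced in code, here is an added example (not from the article or from Pinion). The policy values (12-character minimum, five failed attempts within 15 minutes, 30-minute lockout) are assumptions chosen for illustration; an organization would take its own numbers from its written policy.

```python
"""Password-policy check and failed-logon lockout (added example, not article code).

Assumed policy values (hypothetical, chosen for illustration only):
  minimum length 12 with upper, lower, digit and symbol;
  lock the account after 5 failed logons within a 15-minute window;
  keep it locked for 30 minutes.
"""
from dataclasses import dataclass, field
import re

MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
FAILURE_WINDOW_SECONDS = 15 * 60
LOCKOUT_DURATION_SECONDS = 30 * 60


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, label in ((r"[A-Z]", "uppercase letter"), (r"[a-z]", "lowercase letter"),
                           (r"[0-9]", "digit"), (r"[^A-Za-z0-9]", "symbol")):
        if not re.search(pattern, password):
            problems.append(f"no {label}")
    return problems


@dataclass
class AccountState:
    failed_times: list[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                                 # 0 means not locked


class LockoutPolicy:
    def __init__(self) -> None:
        self.accounts: dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        state = self.accounts.get(user)
        return state is not None and now < state.locked_until

    def record_failure(self, user: str, now: float) -> bool:
        """Record one failed logon at time `now`; return True if the account is (now) locked."""
        state = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return True
        # Only failures inside the sliding window count toward the threshold.
        state.failed_times = [t for t in state.failed_times if now - t <= FAILURE_WINDOW_SECONDS]
        state.failed_times.append(now)
        if len(state.failed_times) >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_DURATION_SECONDS
            state.failed_times.clear()
            return True
        return False
```

A successful logon would normally clear `failed_times` for that user; that step is left out here to keep the block short.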
Every organization should establish a baseline for normal operations. This will allow for early warning when the inevitable happens.
- Implement detection controls such as intrusion detection systems, endpoint detection, network traffic analysis, or honeypots.
An early detection system could help discover these threats and shut them down (respond) before a crisis strikes.
Understand that breaches are common and even with the best defenses the worst could happen. Should your data and credentials be stolen (or your data encrypted), you will need to stop the damage as best you can, find out how the hackers got in, shut off continued access, and draw up a recovery plan.
Businesses should have an incident response management plan in place to address these items. The plan should address how to best protect and defend your organization, customers, and employees and should be updated regularly to include the ever-evolving threats. And finally, once the threat is contained, a business continuity management plan would need to be enacted to get operations back to normal.
Contact a Pinion advisor regarding cybersecurity best practices or IT infrastructure planning and implementation.